How To Test Authoritative Zones (So You Think You Are Signed)

So we've generated some keys, run some commands, and uploaded some data to our parent zone. How do we know our zone is signed correctly? Here are a few ways to check.

Look for Key Data in Your Zone

One of the ways to see if your zone is signed, is to check for the presence of DNSKEY record types. In our example, we created two keys, and we expect to see both keys returned when we query for them.

$ dig @ DNSKEY +multiline +noall +answer

; <<>> DiG 9.10.1 <<>> @ DNSKEY +multiline +noall +answer
; (1 server found)
;; global options: +cmd		300 IN DNSKEY 256 3 8 (
				) ; ZSK; alg = RSASHA256; key id = 17694		300 IN DNSKEY 257 3 8 (
				) ; KSK; alg = RSASHA256; key id = 06817

Look for Signatures in Your Zone

Another way to see if your zone data is signed is to check for the presence of signature. With DNSSEC, every record[3]now comes with at least one corresponding signature known as RRSIG.

$ dig @ SOA +dnssec +multiline

; <<>> DiG 9.10.1 <<>> @ SOA +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31466
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags: do; udp: 4096

				2014102111 ; serial
				10800      ; refresh (3 hours)
				1080       ; retry (18 minutes)
				2419200    ; expire (4 weeks)
				900        ; minimum (15 minutes)
				)		300 IN RRSIG SOA 8 2 300 (
				20141121122105 20141022112105 17694
				/nxVPrckU4/mpeUoFVjMnT49JkVJmgck63esPEU= )

The serial number was automatically incremented from the old, unsigned version. Named keeps track of the serial number of the signed version of the zone independently of the unsigned version. If the unsigned zone is updated with a new serial number that's higher than the one in the signed copy, then the signed copy will be increased to match it, but otherwise the two are kept separate.

Examine the Zone File

Our original zone file remains untouched, named has generated 3 additional files automatically for us (shown below). The signed DNS data is stored in and in the associated journal file.

# cd /etc/bind/db
# ls

A quick description of each of the files:

  • .jbk: transient file used by named
  • .signed: signed version of the zone in raw format
  • .signed.jnl: journal file for the signed version of the zone

These files are stored in raw (binary) format for faster loading. You could reveal the human-readable version by using named-compilezone as shown below. In the example below, we are running the command on the raw format zone to produce a text version of the zone

# named-compilezone -f raw -F text -o
zone loaded serial 2014112008 (DNSSEC signed)
dump zone to

Check the Parent

Although this is not strictly related to whether or not the zone is signed, a critical part of DNSSEC is the trust relationship between the parent and child. Just because we, the child, have all the correctly signed records in our zone doesn't mean it can be fully validated by a validating resolver, unless our parent's data agrees with us. To check if our upload to the parent is successful, ask the parent name server for the DS record of our zone, and we should get back the DS record(s) containing the information we uploaded in the section called “Upload to Parent Zone”:

$ dig DS

; <<>> DiG 9.10.1 <<>> DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49949
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;			IN	DS

;; ANSWER SECTION:  61179	IN	DS	06817 8 1 66D47CE4B4F551BE5EDA43AC5F3109E8C98E2FAE  61179	IN	DS	06817 8 2 71D9335416B7132519190A95685E18CBF478DCF4CA98867062777938F8FEAB89

External Testing Tools

The easiest ways to see if your domain name is fully secured is to use one of these excellent online tools.

  1. Verisign Labs DNSSEC Debugger:
  2. DNSViz:

Verisign DNSSEC Debugger


This tool shows a nice summary of checks performed on your domain name, and you can expand to view more details for each of the items checked to get a detailed report.

Figure 4.1. Verisign DNSSEC Debugger

Verisign DNSSEC Debugger



DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace.

Figure 4.2. DNSViz


[3] Well, almost every record. NS records and glue records for delegations do not have RRSIG records like everyone else. If you do not have any delegations, then yes, every record in your zone will be signed and comes with its own RRSIG.